Spring-MVC，Spring-Spring-Security：无法从 sessionRegistry 获取在线用户

Question

我正在开发一个 Spring-MVC 应用程序，在该应用程序中，为了显示在线用户，我正在通过 sessionRegistry 检查用户是否在线。不幸的是，它不起作用。我不知道为什么 sessionRegistry.getAllPrincipals() 中没有内容。我也在 security-context.xml 中添加了信息，但这并没有帮助。

代码：

@Override
public boolean checkIfUserhasSession(int id) {

    Person person = this.personService.getPersonById(id);
    String email = person.getUsername();
    System.out.println("Person email is "+email);
    List<Object> principals = sessionRegistry.getAllPrincipals();
    for (Object principal : principals) {
        // It never reaches here
        System.out.println("We are in Principals list");
        if (principal instanceof User) {
              String username = ((User) principal).getUsername();
                System.out.println("Username is"+username);
                if(email.equals(username)){
                    return true;
                }

        }
    }
    return false;
}

安全上下文.xml：

<security:http>
 <security:session-management session-fixation-protection="migrateSession">
         <security:concurrency-control session-registry-ref="sessionRegistry" max-sessions="5" expired-url="/login"/>
     </security:session-management>
<security:http/>
    <bean id="sessionRegistry" 
class="org.springframework.security.core.session.SessionRegistryImpl" />

调试日志：

DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@6607a81d: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6607a81d: Principal: org.springframework.security.core.userdetails.User@dde5c0af: Username: user@email.de; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 2384D4496E421247E8B668EFF598C177; Granted Authorities: ROLE_USER'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 2 of 12 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 3 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6607a81d: Principal: org.springframework.security.core.userdetails.User@dde5c0af: Username: user@email.de; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 2384D4496E421247E8B668EFF598C177; Granted Authorities: ROLE_USER'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@6607a81d: Principal: org.springframework.security.core.userdetails.User@dde5c0af: Username: user@email.de; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: 2384D4496E421247E8B668EFF598C177; Granted Authorities: ROLE_USER'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
DEBUG: org.springframework.security.web.FilterChainProxy - /checkuseronline/8550 reached end of additional filter chain; proceeding with original chain
Person email is user@email.de
User is false

请注意，我添加了 5 个会话，因此用户可以同时在多个设备上使用它......任何帮助都会很好......非常感谢。 :-)

编辑

I also added some code mentioned from the documentation, it doesn't help.

    <security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
  <security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <security:custom-filter after="CONCURRENT_SESSION_FILTER"  ref="myAuthFilter" />
        <security:session-management session-authentication-strategy-ref="sas"/>
    </security:http>

<beans:bean id="myAuthFilter" class=
            "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy" ref="sas" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="concurrencyFilter"
                class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/login" />
    </beans:bean>

    <beans:bean id="sas" class=
            "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
        <beans:property name="maximumSessions" value="5" />
    </beans:bean>

    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

我真的不知道还需要什么。你能帮忙的话，我会很高兴。非常感谢。

Answer 1

应该是“session-registry-alias”，而不是 session-registry-ref。

<security:session-management>
     <security:concurrency-control max-sessions="1" session-registry-alias="sessionRegistry" expired-url="/invalid_session"/>
</security:session-management>

参考：

• http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#session-mgmt 中的第 18.3.1 节